6
Decision Making and Oversight

This chapter describes decision making about and oversight of cyberattack as an instrument of U.S. national policy, focusing on issues usually associated with the Department of Defense and intelligence communities.

6.1 EXECUTIVE BRANCH

The discussion below—addressing declaratory policy, acquisition policy, and employment policy—draws from discussions of nuclear history and policy,1 not because cyberweapons and nuclear weapons are similar (they are not), but because such discussions have highlighted the importance of several issues discussed below. That is, the committee found that nuclear history and policy are useful points of departure—framing notions and metaphorical checklists—for understanding policy regarding cyberattack but not that the conclusions that emerge from nuclear policy and history are directly applicable.

"6 Decision Making and Oversight."
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities.
Washington, DC: The National Academies Press, 2009.

OCR for page 214
1 Robert S. Norris, “The Difficult Discipline of Nuclear History: A Perspective,” a presentation at the Carnegie Conference on Non-Proliferation, November 7, 2005, available at http://www.carnegieendowment.org/static/npp/2005conference/presentations/Norris_Nuclear_History_Slides.pdf, and David M. Kunsman and Douglas B. Lawson, A Primer on U.S. Strategic Nuclear Policy, Sandia National Laboratories, Albuquerque, N.Mex., January 2001, available at http://www.nti.org/e_research/official_docs/labs/prim_us_nuc_pol.pdf.

6.1.1 Declaratory Policy

6.1.1.1 The Need for Declaratory Policy

Declaratory policy states, in very general terms, why a nation acquires certain kinds of weapons and how those weapons might be used. For example, the declaratory policy of the United States regarding nuclear weapons is stated in The National Military Strategy, last published in 2004:2

Nuclear capabilities [of the United States] continue to play an important role in deterrence by providing military options to deter a range of threats, including the use of WMD/E and large-scale conventional forces. Additionally, the extension of a credible nuclear deterrent to allies has been an important nonproliferation tool that has removed incentives for allies to develop and deploy nuclear forces.

2 Joint Chiefs of Staff, The National Military Strategy of the United States of America, 2004, available at http://www.strategicstudiesinstitute.army.mil/pdffiles/nms2004.pdf.

By contrast, the declaratory policy of Israel regarding nuclear weapons is that it will not be the first nation to introduce nuclear weapons in the Middle East. The declaratory policy of China regarding nuclear weapons is that it will not be the first to use nuclear weapons under any circumstances. The Soviet Union once had a similar “no first use of nuclear weapons” declaratory policy, but Russia has since explicitly revoked that policy. U.S. declaratory policy has also evolved since 1945—“massive retaliation,” “flexible response,” and “escalation dominance” are some of the terms that have characterized different versions of U.S. declaratory policy regarding nuclear weapons in that period.

Declaratory policy is not necessarily linked only to the use of nuclear weapons. In 1969, the United States renounced first use of lethal or incapacitating chemical agents and weapons and unconditionally renounced all methods of biological warfare.3 In 1997, the United States ratified the Chemical Weapons Convention, which prohibits the signatories from using lethal chemical weapons under any circumstances.

3 See http://www.state.gov/t/ac/trt/4718.htm.

Declaratory policy is directed toward adversaries as much as it is to the declaring nation itself. A declaratory policy is intended, in part, to signal to an adversary what the declaring nation’s responses might be under various circumstances. On the other hand, a declaratory policy may also be couched deliberately in somewhat ambiguous terms, leaving somewhat vague and uncertain the circumstances under which the declaring nation would use nuclear weapons. Such vagueness and uncertainty have historically been regarded by the United States as a strength rather than a weakness of such policies, on the grounds that uncertainty about a U.S. response is an essential part of deterring other nations from taking hostile action against its interests. By contrast, a declaratory policy that is highly explicit may be perceived as limiting a nation’s options in a crisis and telegraphing its intent to some extent, thus simplifying an adversary’s planning process.

Yet another related issue is whether another nation should believe a nation’s declaratory policy. For example, the Soviet Union formally adopted an explicit “no-first-use” policy regarding nuclear weapons in 1982, but many military analysts gave little credence to that statement. On one hand, no immutable law mandates consistency between prior declaratory policy and subsequent action, and declaratory policy need not constrain actual practice. On the other hand, declaratory policy may influence a nation’s armed forces’ training and doctrine. If, for example, the declaratory policy states that a nation will not use weapon X, and its armed forces do not train to use weapon X, and its military doctrine does not contemplate the use of weapon X, that nation may well be ill-prepared to use weapon X in practice even if its leaders decide to act in violation of the stated declaratory policy.

6.1.1.2 Present Status

For the use of cyberweapons, the United States has no declaratory policy, although the DOD Information Operations Roadmap of 2003 stated that “the USG should have a declaratory policy on the use of cyberspace for offensive cyber operations.” The 2006 National Military Strategy for Cyberspace Operations indicates that “as a war-fighting domain . . . cyberspace favors the offense . . . an opportunity to gain and maintain the initiative.”4 This statement is the beginning of a declaratory policy, but it is incomplete.

4 See http://www.dod.mil/pubs/foi/ojcs/07-F-2105doc1.pdf.

A declaratory policy would have to answer several questions.

• For what purposes does the United States maintain a capability for cyberattack?
• Do cyberattack capabilities exist to fight wars and to engage in covert intelligence or military activity if necessary, or do they exist primarily to deter others from launching cyberattacks on the United States?
• If they exist to fight wars, are they to be used in a limited fashion?

On the basis of what is known publicly, it is possible to formulate what might be called an implied declaratory policy of the United States on cyberwarfare. (Of course, the notion of an implied declaratory policy is itself an oxymoron—a declaratory policy that is not explicitly stated is hardly declaratory. Rather, what follows below is an example of a declaratory policy that would be consistent with what is known publicly.)

The United States acquires cyberattack capabilities as part of its overall deterrent posture, which is based on full spectrum dominance—the ability to control any situation or defeat any adversary across the range of military operations. Cyberattack capabilities provide the U.S. military and intelligence communities with additional options for action and use, and are thus intended for use just as any other weapons could be used in support of U.S. military or intelligence objectives. Cyberattack capabilities are to be fully integrated into U.S. military operations when appropriate, and distinctions between cyberattack and kinetic force are not meaningful except in an operational context. Cyberattack capabilities may be particularly useful to the United States in many conflict scenarios short of all-out war.

In addition, two other questions are often included under the rubric of declaratory policy:

• How is cyberconflict to be stopped?
• To the extent that cyberattack is part of the U.S. deterrent posture, how can its use be established as a credible threat?

In the nuclear domain, concerns have always been raised about nuclear strikes against an adversary’s strategic command and control system. The issue has been that such strikes could seriously impair war termination efforts by disconnecting the political leadership of a nation from the nuclear-armed forces under its control, leaving the question of how nuclear hostilities might be terminated.

The use of large-scale cyberattacks against the communications infrastructure of an adversary might well lead to similar concerns. Such attacks could result in the effective disconnection of forces in the field from the adversary’s national command authority, or sow doubt and uncertainty in an adversary’s military forces about the reliability of instructions received over their communications infrastructure. Again, under such circumstances, termination of hostilities might prove problematic (and if the adversary were a nuclear-armed nation, sowing such doubt might seriously run counter to U.S. interests).

Regarding the credibility of nuclear use, the United States does much through its declaratory (and acquisition) policy to encourage the perception that there are circumstances under which the United States might use nuclear weapons, and it conducts large-scale military exercises involving nuclear forces in part to demonstrate to the world that it is capable of mustering nuclear forces that could be brought to bear in any given situation.

The situation is entirely reversed with respect to cyberwarfare. U.S. policy regarding the use of cyberweapons is shrouded in secrecy, and the lack of public discussion regarding U.S. policy in this domain almost by definition does not contribute to deterrence.

Finally, the National Military Strategy of the United States of America of 2004 also states:5

The term WMD/E relates to a broad range of adversary capabilities that pose potentially devastating impacts. WMD/E includes chemical, biological, radiological, nuclear, and enhanced high explosive weapons as well as other, more asymmetrical “weapons.” They may rely more on disruptive impact than destructive kinetic effects. For example, cyber attacks on US commercial information systems or attacks against transportation networks may have a greater economic or psychological effect than a relatively small release of a lethal agent.

5 Joint Chiefs of Staff, The National Military Strategy of the United States of America, 2004, available at http://www.strategicstudiesinstitute.army.mil/pdffiles/nms2004.pdf.

Coupled with the declaratory policy on nuclear weapons described earlier, this statement implies that the United States will regard certain kinds of cyberattacks against the United States as being in the same category as nuclear, biological, and chemical weapons, and thus that a nuclear response to certain kinds of cyberattack (namely, cyberattacks with devastating impacts) may be possible. It also sets the relevant scale—a cyberattack that has an impact larger than that associated with a relatively small release of a lethal agent is regarded with the same or greater seriousness.

6.1.1.3 Alternative Declaratory Policies

Simply as illustration (and not as endorsement), the following discussion incorporates and addresses hypothetical declaratory policies (or elements thereof) regarding cyberattack.

• No large-scale cyberattacks. Although weapons for cyberattack are valid and legitimate military weapons to be deployed and used in support of U.S. interests, the United States will unilaterally refrain from conducting against nations cyberattacks that would have the potential for causing widespread societal devastation and chaos. Accordingly, the United States will refrain from conducting cyberattacks against a nation’s electric power grids and financial systems if such attacks would have a significant potential for affecting national economies.

Such a policy would seek to delegitimize the use of large-scale cyberattacks as an instrument of national policy by any nation in much the same way that the unilateral U.S. renunciation of biological weapons contributed to stigmatizing use of such weapons by any nation. The benefit to the United States if such stigmatization occurred would be a lower likelihood that it would experience such an attack.

• No first use of large-scale cyberattacks. Although weapons for cyberattack are valid and legitimate military weapons to be deployed and used in support of U.S. interests, the United States will not be the first nation in a conflict to conduct against nations cyberattacks that would have the potential of causing widespread societal devastation and chaos. Nevertheless, the United States reserves the right to conduct such attacks should it be subject to such attacks itself.

Such a policy would seek to discourage the use of large-scale cyberattacks as an instrument of national policy by any nation. However, the U.S. stance on the use of large-scale cyberattacks would be based primarily on threatening in-kind retaliation rather than setting an example. As in the previous case, the benefit to the United States if such stigmatization occurred would be a lower likelihood that it would experience such an attack.

• No first use of cyberattacks through the Internet and other public networks. The U.S. government will refrain from using the Internet and other public networks to conduct damaging or destructive acts, and will seek to prevent individuals and organizations within its authority from doing so, as long as other nations do the same.

Such a policy would seek to discourage the use of cyberattacks through the Internet as an instrument of national policy by any nation, presumably based on a rationale that sees the Internet as a global public utility whose benefits to the world’s nations are outweighed by any temporary military advantage that might be gained through Internet-based cyberattacks. Again, the U.S. stance on the use of such cyberattacks would be based primarily on threatening in-kind retaliation rather than example-setting. The benefit to the United States would be that it (and especially its civilian sector) would be more likely to continue to enjoy the benefits of Internet connectivity.

• National responsibility for cyberattacks. Nations are responsible for cyberattacks that emanate from their soil, whether or not their national governments have initiated such actions. If they have not, national governments are responsible for taking actions that lead or help lead to the cessation of such actions. The United States reserves the right to take unilateral action if a nation fails to take action to respond to cyberattacks emanating from its soil.

Such a policy would codify for cyberattack a legal principle that is foundational to international law regarding neutrality, self-defense, and the laws of armed conflict (discussed further in Chapter 7)—that nations are responsible for military conduct emanating from their territories and affecting other nations. The benefit of such a policy would be to make explicit what is already U.S. policy regarding kinetic attacks.

6.1.1.4 The Relationship Between Declaratory Policy and International Agreements

Declaratory policy might also be replaced or complemented by bilateral or multilateral agreements, much as nations have sometimes agreed to certain standards of behavior for their navies on the high seas when interacting with the navies of nations also party to those agreements. This point is addressed in more detail in Chapter 10.

6.1.2 Acquisition Policy

The acquisition of capabilities is, in principle, driven by statements of need—that is, how the U.S. military (for instance) may effectively take advantage of a given capability. Much has been written about the drivers of military acquisition, and a key driver that emerges from these writings is the anticipation that an adversary has or will acquire a particular military capability to which the nation must respond quickly by itself acquiring a similar or countering capability.6

6 See, for example, Stephen Rosen, Chapter 7, “What Is the Enemy Building?” in Winning the Next War: Innovation and the Modern Military, Cornell University Press, Ithaca, N.Y., 1991.

Acquisition policy addresses issues such as how much should be spent on weapons of various kinds, how many of what kind should be acquired on what timetable, and what the characteristics of these weapons should be. A statement of acquisition policy regarding nuclear weapons might say something like “the United States must deploy in the next 2 decades 500 land-based new ICBMs with 10 nuclear warheads apiece, each with a kill probability (Pk) of 90 percent against targets hardened to withstand overpressures of 2000 pounds per square inch.” For a standoff munition, a statement of acquisition policy might say something like “the United States must acquire, at a rate of 1000 per year, a standoff ‘fire-and-forget’ munition carrying a 250-pound explosive warhead capable of being launched from a range of 30 kilometers with a Circular Error Probable of 1 meter against moving targets under all weather and battlefield conditions.”

The acquisition process also requires that a weapon in acquisition be subject to an internal review prior to production to determine if use of the weapon would conflict with existing international obligations (e.g., arms control treaties or customary international standards of necessity, proportionality, and discrimination in the law of armed conflict). Not surprisingly, such review is undertaken using DOD interpretations of the law of armed conflict, which outside analysts sometimes criticize as being overly narrow. These reviews are generally not classified, but in general, they have not been made widely available.

Finally, the acquisition process requires that certain weapons undergo operational testing and evaluation before large-scale production. Operational testing and evaluation (OT/E) involves field testing under realistic combat conditions for the purpose of determining the effectiveness and suitability of a weapon for use in combat by typical military users. However, only weapons procured through a major defense acquisition program are subject to this OT/E requirement, and in particular weapons procured through a highly sensitive classified program (as designated by the secretary of defense) are exempt from this requirement.

In principle, this process also applies to the acquisition of cyberweapons, or more precisely, capabilities for cyberattack. (It would be rare that a “cyberweapon” takes the same form as a kinetic weapon, in the sense of a package that can be given to a military operator as a rifle or a fighter jet can be given. Rather, operators who launch cyberattacks are likely to have a variety of tools at their disposal for conducting an attack.) But acquiring capabilities (tools) for cyberattack differs in important ways from acquiring ordinary weapons, raising a number of issues for the acquisition process.

For example, the rapid pace of information technology change places great stress on acquisition processes for cyberattack capabilities (and for cyberdefense as well). A second important point is that the acquisition cost of software-based cyberattack tools is almost entirely borne in research and development, since they can be duplicated at near-zero incremental cost. By contrast, procurement is a major portion of the acquisition cost for kinetic weapons. Thus, a testing and evaluation (T/E) regime timed to occur after R&D is unlikely to apply to cyberweapons. The absolute acquisition cost of cyberweapons is also likely to be significantly smaller than those of kinetic weapons, thus exempting cyberweapons from T/E regimes linked to acquisition cost.7

7 For example, a major defense acquisition program is defined by statute as one estimated to require an eventual total expenditure for research, development, testing, and evaluation of more than $300 million (in FY 1990 constant dollars) or an eventual total expenditure for procurement of more than $1.8 billion (in FY 1990 constant dollars). Programs for acquiring cyberattack capabilities and tools are likely to cost far less than these amounts.

A third point is that the acquisition process presumes that it is the only way to procure weapons. But cyberattack capabilities are so inexpensive to acquire that they could be acquired through operations and maintenance (O/M) funds (and may be legal as well). For example, under the rubric of upgrading the cybersecurity posture of an installation, a system administrator might well obtain tools designed to test its computer security (that is, to support a “red team” penetration test) and acquire these tools through O/M funds. But these very same tools could provide capabilities that could be used against adversary computers.

A second way to acquire cyberattack capability is to purchase services that provide them. For example, botnets (discussed in Section 2.2.5.1.1) can be rented at relatively low cost—informed estimates vary, but are reported to be on the order of a few thousand dollars for a botnet consisting of tens of thousands of zombies for a few days. Renting a botnet may be a much more efficient method for acquiring the afforded capabilities than developing a botnet on one’s own, and indeed the Estonian minister of defense has asserted that the cyberattack on Estonia was conducted by botnets that were rented for that purpose.8

8 William Jackson, “Cyberattacks in the Present Tense, Estonian Says,” Government Computing News, November 28, 2007, available at http://www.gcn.com/online/vol1_no1/45476-1.html.

Of course, the rental of botnets contributes to the furtherance of a criminal enterprise, as the botnet owner/operator has broken U.S. law in assembling the botnet (presuming the owner/operator is subject to U.S. jurisdiction). An important policy question is whether it is appropriate for the United States to work with known criminals to pursue foreign policy objectives. More generally, the United States could “outsource” certain kinds of cyberattack to criminal hackers, especially if it wanted to leave no trace of such work, and incentivize such work by allowing the hackers to keep some or all of the financial resources they might encounter. Such cooperation has some precedent in U.S. history—for example, the Central Intelligence Agency sought to recruit the Mafia in 1960 to kill Fidel Castro9—though such instances have hardly been uncontroversial.

9 Glenn Kessler, “Trying to Kill Fidel Castro,” Washington Post, June 27, 2007, p. A06.

Related is the fact that the computers of third parties, such as innocent civilians in a nation of choice, might also be compromised in order to support a cyberattack. These computers can be configured as “weapons for cyberattack” at will by the real attacker at essentially zero cost, even though they increase his attack capabilities by orders of magnitude, and because such scenarios were never envisioned by the traditional acquisition process, it is only a matter of policy that might inhibit the United States from doing so.

Acquisition policy should also address the issue of the proper balance of resource allocation. The absolute budget sums involved in acquiring cyberattack capabilities are relatively small, as noted in Chapter 2. But serious defensive efforts are very expensive, not least for reasons of scale—the sheer volume of computer systems and networks that must be protected. Thus, acquisition policy necessarily affects the balance between conventional military assets and cyber military assets and procedures on the defensive side. Given the dependence of today’s military forces on information technologies, some analysts have argued that present-day acquisition policies do not pay sufficient attention to cybersecurity and defensive operations.

The above discussion of acquisition policy relates primarily to the defense community. But the intelligence community must also acquire various capabilities to support its intelligence collection and covert action missions. Of particular significance for acquisition policy is that a tool to collect intelligence information from an adversary computer system or network can—at little additional cost—be modified to include certain attack capabilities, as described in Section 2.6. Indeed, the cost of doing so is likely to be so low that in the most usual cases, acquisition managers would probably equip a collection tool with such capabilities (or provide it with the ability to be modified on-the-fly in actual use to have such capabilities) as a matter of routine practice.

6.1.3 Employment Policy

Employment policy specifies how weapons can be used, what goals would be served by such use, and who may give the orders to use them. Such policy has a major influence on how forces train (e.g., by driving the development and use of appropriate training scenarios).

One key question of employment policy relates to the necessary command and control arrangements. For example, although U.S. doctrine once did not differentiate between nuclear and non-nuclear weapons,10 this is most surely not the case today. Nuclear weapons are universally regarded as worthy of special attention, policies, and procedures, and their use is tightly controlled and highly centralized—more so than any other weapon in the U.S. arsenal. Whether similar arrangements will be made for cyberweapons in the future remains to be seen, although the discussion in Chapter 3 suggests that the command and control arrangements of today are not as centralized.

10 In 1954, President Eisenhower was asked at a press conference (March 16, 1954) whether small atomic weapons would be used if war broke out in the Far East. He said, “Yes, of course they would be used. In any combat where these things can be used on strictly military targets and for strictly military purposes, I see no reason why they shouldn’t be used just exactly as you would use a bullet or anything else.” (See Eisenhower National Historic Site, National Park Service, at http://www.nps.gov/archive/eise/quotes2.htm.) Indeed, in 1953, the U.S. National Security Council noted that “in the event of hostilities, the United States will consider nuclear weapons to be as available for use as other munitions.” (U.S. National Security Council (NSC), “Basic National Security Policy,” NSC Memorandum 162/2, October 30, 1953, available at http://www.fas.org/irp/offdocs/nsc-hst/nsc-162-2.pdf.)

A second key question of employment policy is the targets of such weapons. Some targets are off-limits by virtue of the LOAC and other relevant international law. But the propriety of attacking other kinds of targets is often determined by doctrine and views of the adversary.

For example, in the nuclear strategy of the Cold War, considerable debate arose about the propriety of targeting adversary nuclear forces. Advocates of prompt hard-target kill capabilities (that would use a ballistic missile against a hardened adversary missile silo) argued that the adversary (generally the leaders of the Soviet Union) placed great value on their instruments of national power, such as their nuclear forces, and that placing such instruments at risk would help to deter actions that worked against the interests of the United States. Opponents of such targeting argued that threatening to destroy such targets only increased the likelihood that the adversary would launch its missiles on warning of attack, thus making accidental launch more likely.

Given that there are no cyber equivalents of hardened missile silos that constitute an adversary’s retaliatory forces, no credible threat of annihilation, and no equivalent of launch on warning for cyber forces, nuclear strategy does not provide guidance for cyber targeting. What targets might or might not be appropriate for cyberattack and under what circumstances would this be so? From what can be determined from public statements, the DOD believes that cyberattack has military utility, and thus the use of cyberattack is subject to constraints imposed by the law of armed conflict.

At the same time and apart from the need to comply with the LOAC, good reasons may exist for eschewing certain kinds of cyberattack against certain kinds of target for reasons other than those related to operational efficacy. For example, cyberwarfare provides tools that can be focused directly on messaging and influencing the leadership of an adversary

respond promptly to various strategic contingencies. A number of important questions arise in this context—the large amount of intelligence information likely to be needed for such options, the timeliness of information collected to support preplanned options, and indeed the actual value of prompt cyber response under various circumstances.

A third important issue is ensuring that cyberattack activities are sufficiently visible to higher authorities, including the political leadership. It is an unfortunate reality that during times of crisis, military actions that would normally be regarded as routine or “small” can lead to misperceptions of strategic significance. For example, routine air reconnaissance undertaken during times of crisis can be interpreted as a prelude to attack. In a cyberattack context, analogs could include the routine gathering of intelligence that is needed to support a cyberattack (e.g., port scans of Zendian systems) or the self-defense neutralization of an active cyberattack threat from a Zendian patriotic hacker under standing rules of engagement. The possibility is very real that Zendian authorities might perceive such activities as aggressive actions associated with a planned and deliberate cyberattack by the United States.

Keeping the political leadership informed of such activities is a problem even when considering traditional military operations. But because the resources and assets needed to conduct cyberattacks are small by comparison and the potential impact still large, it may be more difficult for higher authorities to stay informed about activities related to cyberattack.

Finally, the United States has a long-standing policy not to use cyber-
attack or cyberexploitation to obtain economic advantage for private com-
panies (as noted in Section 4.1.2). However, the economic domain is one
in which the operational policies of adversaries are markedly different
from those of the United States. That is, adversaries of the United States
are widely believed to conduct cyber-espionage for economic advan-
tage—stealing trade secrets and other information that might help them
to gain competitive advantage in the world marketplace and/or over U.S.
firms. As noted in Section 2.6.2, the intelligence services of at least one
major nation-state were explicitly tasked with gathering intelligence for
its potential economic benefits. This asymmetry between U.S. and foreign
policies regarding cyberexploitation is notable.
The committee also observes that national policy makers frequently
refer to a major and significant cyberthreat against the United States
emanating from many actors, including major nation-states. The result
in recent years has been an upsurge of concern about the disadvantaged
position of the United States in the domain of cyberconflict, and is most
recently reflected in the still largely classified Comprehensive National
Cybersecurity Initiative resulting from the National Security Presidential
Directive 54/Homeland Security Presidential Directive 23 of January
2008.11
On the other hand, the committee’s work has underscored many of
the uncertainties that underlie any serious attempt by the United States
to use cyberattack as an instrument of national policy. Moreover, military
planners often engage in worst-case planning, which assumes that more
things will go right for an adversary than for oneself. Thus, attack plan-
ners emphasize the uncertainties of an attack and assume that the defense
will be maximally prepared and lucky. Defensive planners emphasize the
uncertainties of defense and assume that the attacker will be maximally
prepared and lucky.
In short, the committee sees a marked asymmetry in the U.S. percep-
tion of cyberattack—“they” (the adversary) are using cyberattack means
effectively against us (the United States), but it would be difficult (though
not impossible) for us to use such means effectively against them.
The question thus arises, What might be responsible for this percep-
tion? One factor is the conflation of cyberattack and cyberexploitation
in the public discourse (see Box 1.4 in Chapter 1). As noted by General
Kevin Chilton, commander of the U.S. Strategic Command, many of the
incidents that are billed as cyberattacks are, more accurately, just old-fash-
ioned espionage—people looking for information who don’t necessarily
represent military threats.12 Thus, if the public discourse uses the term
“cyberattack” (what this discussion calls cyberattack-AUIPD, for “cyber-
attack as used in public discourse,” to distinguish usages) to include
cyberexploitation, then the balance is between adversary cyberattacks-
AUIPD (which would include what this report terms “cyberattack” [note
absence of a tag] and which are largely espionage conducted for economic
benefit) and U.S. “cyberattacks-AUIPD” (which by policy do not involve
either cyberattack or cyberexploitation conducted for economic benefit),
and in such a balance, adversary cyberattacks-AUIPD will obviously
seem to be much more effective than those of the United States.
11 Public reports indicate that this initiative has 12 components intended to reduce to 100
or fewer the number of connections from federal agencies to external computer networks,
and to make other improvements in intrusion detection, intrusion prevention, research and
development, situational awareness, cyber counterintelligence, classified network security,
cyber education and training, implementation of information security technologies, deterrence
strategies, global supply chain security, and public/private collaboration. The cost of
this initiative has been estimated at $40 billion. See, for example, Jill R. Aitoro, “National
Cyber Security Initiative Will Have a Dozen Parts,” Nextgov, August 1, 2008, available at
http://www.nextgov.com/nextgov/ng_20080801_9053.php.
12 Wyatt Kash, “Cyber Chief Argues for New Approaches,” Government Computer News,
August 22, 2008, available at http://gcn.com/articles/2008/08/22/cyber-chief-argues-for-new-approaches.aspx.
A third important factor contributing to this perception is the fact
that as noted in earlier chapters, the United States provides only limited
assistance to the private sector when it comes under cyberattack and
restricts the ability of the private sector to engage in self-help activities (as
discussed in Section 5.2), and it refrains from sharing intelligence informa-
tion that would benefit individual private sector companies (as discussed
in Section 4.1). Some other nations do not practice such restraint. The com-
mittee speculates that this asymmetry in policy may account for at least
some of the perception of asymmetric advantage derived by others.
If these observations are accurate, what—if anything—can be
done about it?
Regarding the conflation of cyberattack and cyberexploitation in pub-
lic discourse, there is no remedy except to insist that a user of the term
“cyberattack” make clear what is included under the rubric of the term
he or she is using. If the many foreign cyberexploitation efforts were not
described as “cyberattack,” the level of tension over cyberattack would
be knocked down to a considerable degree.
The case for the current U.S. policy regarding eschewing the use of
U.S. intelligence agencies for the benefit of private firms is largely based
on the desire of the United States to uphold a robust legal regime for the
protection of intellectual property and for a level playing field to enable
competitors from different countries to make their best business cases
on their merits. If this policy position is to be revised, it seems that two
of the most prominent possibilities are that (1) intelligence gathering for
economic purposes ceases for all nations, or (2) the United States uses
its intelligence-gathering capabilities (including cyberexploitation) for
economic purposes. Under traditional international law, espionage—for
whatever purpose—is not banned, and thus the first possibility suggests
a need to revise the current international legal regime with respect to the
propriety of state-sponsored economic espionage. The second possibility
raises the prospect that current restraints on U.S. policy regarding intel-
ligence collection for the benefit of private firms might be relaxed.
Both of these possibilities would be controversial, and the commit-
tee takes no stand on them, except to note some of the problems associated
with each of them. The first—a change in the international legal regime to
prohibit espionage—would require a consensus among the major nations
of the world, and such a consensus is not likely. The second—a unilateral
change in U.S. policy—does not require an international consensus, but
has many other difficulties. For example, the U.S. government would
have to decide which private firms should benefit from the government’s
activities, and even what entities should count as a “U.S. firm.” U.S. gov-
ernment at the state and local level might well find that the prospect of
U.S. intelligence agencies being used to help private firms would not sit
well with foreign companies that they were trying to persuade to relocate
to the United States. And it might well undercut the basis on which the
United States could object to other nations conducting such activities for
the benefit of their own domestic industries and lead to a “Wild West”
environment in which anything goes.
After all is said and done, it may turn out that the most desirable
(least undesirable) option for the United States is to learn to live with the
current asymmetry. But if that is indeed the case, it should reflect a delib-
erate and considered assessment of the pros and cons of various options
that in the committee’s view has not yet been engaged.
6.1.4 Operational Oversight
Operations translate employment policy into reality. In practice, the
U.S. armed forces operate on a worldwide basis and have many ongoing
operations at any given time. For example, they constantly gather intelli-
gence and reconnaissance information. Some of those operations are sensi-
tive, in that they might be seen as provocative or otherwise inappropriate.
Thus, the U.S. government has established a variety of mechanisms
intended to ensure that such operations are properly overseen. For
example, the U.S. government sometimes specifies criteria in advance
that define certain sensitive military missions, and then requires that
all such missions be brought to the attention of senior decision makers
(e.g., the National Security Council staff). In rare cases, a mission must be
approved individually; more typically, generic authority is granted for a
set of missions that might be carried out over a period of many months
(for example). The findings and notification process for covert action is
another mechanism for keeping the executive and legislative branches
properly informed. From time to time these mechanisms are unsuccessful
in informing senior decision makers, and it is often because the individual
ordering the execution of that mission did not believe that such an order
required consultation with higher authority.
In a cyberattack context, oversight issues arise at two stages—at the
actual launch of a cyberattack and in activities designed for intelligence
preparation of the battlefield to support a cyberattack.
6.1.4.1 Launching a Cyberattack
Another important operational issue involves delegation of authority
to launch a cyberattack as part of an active defense of U.S. computer sys-
tems and networks. As noted in Chapter 3, the U.S. Strategic Command
has authority to conduct such attacks for active defense under a limited
set of circumstances. But it is not known how far down the chain of com-
mand such authority has been delegated.

The most extreme form of delegation would call for an entirely auto-
mated active defense—and indeed the U.S. Air Force has issued a call for
proposals to develop a “cyber control system” that “will enable active
defense operations [involving] automated responses (based on predefined
Rules of Engagement) . . . , in response to network intrusions/attacks.” 13
Automated responses are regarded as being militarily necessary when
there is insufficient time for humans to make decisions about the nature of
a response, and any given situation may present insufficient time because
of the fleeting nature of the opportunity to strike back or because of the
harm that rapidly accrues if the attack is not stopped (though consider-
ation of other factors such as appropriate rules of engagement may pre-
vent such weapons from being deployed in any given situation). Both of
these factors could characterize certain kinds of cyberattacks on certain
targets in the United States.
On the other hand, the risks of error or inadvertent escalation are gen-
erally regarded as greatest when humans are not in the decision-making
loop. Despite periodic calls for the nuclear command and control system
to be automated so as to ensure that retaliation would take place in the
event of a Soviet nuclear attack, the United States has always relied on
humans (the President and the National Command Authority) to make
the ultimate decision to release U.S. strategic forces. (Even so, many have
criticized these arrangements as pro forma, arguing that in practice they
are not much better than an automated launch decision, because they give
the NCA too little time to evaluate the information available about the
alleged incoming attack.)
An assessment of the wisdom of an automated response to a cyberat-
tack depends on several factors, including the likelihood that adequate
and correct information will be available in a short period of time to
develop an access path back to the attacker, the likely consequences of a
cyberattack response, and the possible consequences of a misdirected or
inappropriately launched counterattack. In the case of nuclear command
and control, these factors—primarily the last—indicate that an automated
response would be foolish and foolhardy.
13 United Press International, “Air Force Seeks Automated Cyber-response,” Jan. 2,
2008, at 4:55 p.m.
6.1.4.2 Conducting Intelligence Preparation of the Battlefield to Support a Cyberattack
In principle, conducting intelligence preparation of the battlefield
(IPB) to support a cyberattack is not different from conducting other
non-destructive cyberexploitation missions. For example, U.S. electronic
reconnaissance airplanes often fly missions near the border of another
nation in order to “light up” that nation’s air defense radars. By moni-
toring those radar emissions, they collect information on the waveforms
and positions of a potential adversary’s radar systems; such information
could be useful in the event that an air strike might be launched against
that nation.
On the other hand, that nation might well regard those reconnais-
sance flights as provocative. The airplane it is monitoring just outside its
airspace could be armed, and the plane’s presence there could indicate
hostile intent. The essential problem is that the boundaries of its national
airspace provide almost no time for its air defense forces to react should
the airplane turn out to have immediate hostile intent. Even if it is known
to be unarmed, it is most likely to be a reconnaissance airplane collect-
ing information that could be useful in the event that an air strike was
launched against that nation. If these reconnaissance flights were taking
place during a period of peacetime tension with the United States, it is
easy to see how they might further exacerbate those tensions.
Missions of this kind fall squarely into the category of those that must
be reported to senior policy makers. The IPB mission for a destructive
cyberattack falls into the same category. In order to gather the necessary
intelligence, an adversary’s network must be mapped to establish topol-
ogy (which nodes are connected to which other nodes). Ports are “pinged”
to determine what services are (perhaps inadvertently) left open to an
outside intruder, physical access points are located and mapped, operat-
ing system and application vulnerabilities are identified, sympathizers
with important access privileges are cultivated, and so on.
However, there are at least three important differences between IPB
for cyberattack and other kinds of intelligence collection. First, a U.S. gov-
ernment effort to conduct IPB for many kinds of cyberattack will be taking
place against a background of other activities (e.g., probes and pings) that
are not being conducted by the U.S. government. Second, network con-
nectivity may be such that “limited” intelligence probes and other inves-
tigations of a potential adversary’s networks will inadvertently reach very
sensitive areas. Third, the dividing line between a tool intended to collect
information on an adversary’s systems and a weapon intended to destroy
parts of those systems may be very unclear indeed.
The first factor above may reduce the sensitivity of the nation being
probed—and indeed, the U.S. IPB effort is likely to be undertaken in
a way that does not reveal its origin. But the second two factors may
increase sensitivity, and possibly lead to entirely unanticipated reactions
on the part of the adversary.

6.2 LEGISLATIVE BRANCH
The legislative branch has two basic roles regarding government
operations—budget and oversight. In addition, the Constitution gives
the legislative branch the sole authority to declare war.
6.2.1 Warmaking Powers
Article I, Section 8 of the U.S. Constitution authorizes the Congress
to “declare war” and gives Congress numerous powers over the military,
including the powers to “raise and support armies,” to “provide and
maintain a navy,” and to “make rules for the government and regulation
of the land and naval forces.” Article II, Section 2 gives the President the
“executive power” and provides that he “shall be commander in chief of
the Army and Navy of the United States.”
At the time the Constitution was written, the primary purpose
of national armed forces was to fight wars, and these provisions were
intended to give Congress primary responsibility for the decision to ini-
tiate war, and to give the President the primary responsibility for the
conduct of war.14 Over time, as the international powers and responsi-
bilities of the United States have grown, and as the standing U.S. armed
forces have grown, the President has asserted more and more authority
to initiate armed conflicts in the absence of authorization from Congress.
Moreover, it has been argued that the notion of declaring war as a prelude
to armed combat is simply irrelevant in the modern world.
Self-defense is the least controversial basis for the president to direct
the armed forces to engage in combat. Madison said at the Convention
that the “declare war” clause left to the President the power to “repel sud-
den attacks” without congressional authorization.15 The Supreme Court
upheld Lincoln’s authority to act against the confederacy in the absence
of congressional authorization.16 President Clinton invoked self-defense
in justifying the 1993 cruise missile strikes on Iraq in response to the
attempted assassination of President George H.W. Bush.17
14 See, e.g., Abraham D. Sofaer, War, Foreign Affairs and Constitutional Power: The Origins,
Ballinger Publishing, Cambridge, Mass., 1976.
15 The Records of the Federal Convention of 1787, at 318 (1911), Max Farrand, ed., rev.
edition, 1966.
16 See Prize Cases, 67 U.S. 635 (1863) (“If a war be made by invasion of a foreign nation,
the President is not only authorized but bound to resist force by force”).
17 See “Letter to Congressional Leaders on the Strike on Iraqi Intelligence Headquarters,”
Pub. Papers of William J. Clinton 940, 1993.
For some of the instances not involving self-defense in which U.S.
armed forces have been deployed and used, presidents have sought and
received explicit congressional authorization, although they have always
claimed that their authority as commanders-in-chief was sufficient to
take such actions and that in essence seeking congressional authorization
was a courtesy extended to the legislative body. But matters are more
complicated and controversial when the President acts without invoking
self-defense and also without congressional authorization.
The President has acted in such a manner in many circumstances
in U.S. history, most notably in Korea and Kosovo, but also in dozens
of other smaller-scale conflicts. Presidents have asserted this authority,
Congress often complains and opposes it, and the Supreme Court has not
squarely addressed it.
To address such cases, Congress passed the War Powers Resolution
(WPR) in 1973 (PL 93-148). Passed over then-President Nixon’s veto, the
WPR requires the President to report to Congress in 48 hours “in any case
in which United States Armed Forces are introduced (1) into hostilities or
into situations where imminent involvement in hostilities is clearly indi-
cated by the circumstances; (2) into the territory, airspace or waters of a
foreign nation, while equipped for combat, except for deployments which
relate solely to supply, replacement, repair, or training of such forces; or
(3) in numbers which substantially enlarge United States Armed Forces
equipped for combat [who are] already located in a foreign nation,” and
requires the President to “terminate any such use of armed forces” within
60 days (subject to a one-time 30-day extension).
The tensions between the executive and legislative branches of gov-
ernment over war-making authority are palpable. Many analysts believe
that the intent of the Founding Fathers was to grant the Congress a sub-
stantial decision-making role in the use of U.S. armed forces, and if mod-
ern conflict has rendered obsolete the notion of a “declaration of war,”
mechanisms must still be found to ensure that Congress continues to play
a meaningful role in this regard. Others acknowledge the obsolete nature
of declarations of war, but conclude that executive branch authority can
and should fill the resulting lacunae.
This report does not seek to resolve this controversy, but observes that
notions of cyberconflict and cyberattack will inevitably cause more confu-
sion and result in less clarity. Consider, for example, the meaning of the
term “hostilities” in the War Powers Resolution. At the time the resolution
was crafted, cyberattack was not a concept that had entered the vocabu-
lary of most military analysts. In the context of the resolution, hostilities
refer to U.S. land, air, and naval units engaging in combat. The resolution
also refers to the foreign deployments of combat-equipped U.S. forces.
To the extent that the War Powers Resolution was intended to be a
reassertion of congressional authority in warmaking, it is very poorly
suited to U.S. forces that engage in cyber combat or launch cyberattacks.
What conditions would define “hostilities” when military cyberattacks
can be launched against adversary computers or networks? What counts
as “deployments” of forces capable of cyberattack into foreign territory?
It is thus an open question whether a cyberattack launched by the United
States would constitute the introduction of armed forces in another coun-
try within the meaning of the resolution.
When it comes to sorting out normative and practical issues con-
cerning congressional and presidential prerogatives, cyberwarfare poses
issues even more difficult for interpreting the War Powers Resolution than
the already-difficult issues associated with traditional kinetic conflict.
6.2.2 Budget
In the preceding section, the relative invisibility of cyberattack activi-
ties is mentioned as a problem for higher authority. Cyberattack capa-
bilities are also not particularly visible to the legislative branch. In part,
the veil of secrecy around cyberattack makes it more invisible than if
the subject were not classified. But just as important is the fact that the
funding for the development and deployment of cyberattack capabili-
ties is both minuscule and deliberately obscured in unclassified budget
justifications.
For example, in the FY 2008 DOD budget request, one request for
the “demonstration of offensive cyber operations technologies allowing
attack and exploitation of adversary information systems” by the Air
Force is contained in a program element component of $8.012 million; the
program element is entitled “Advanced Technology Development,” and
the component “Battlespace Information Exchange.”18 A second request
for developing cyber operations technologies is contained in a program
element of $11.85 million for FY 2008; this program element is entitled
“Applied Research on Command, Control, and Communications.”19
18 See http://www.dtic.mil/descriptivesum/Y2008/AirForce/0603789F.pdf.
19 In FY 2008, one component of this program element (“communications technology”)
called for activities to “initiate development of access techniques allowing “cyber paths” to
protected adversary information systems through a multiplicity of attack vectors; initiate
development of stealth and persistence technologies enabling continued operation within
the adversary information network; initiate programs to provide the capability to exfiltrate
any and all types of information from compromised information systems enabling cyber
intelligence gathering to achieve cyber awareness and understanding; initiate technology
programs to deliver D5 (deny, degrade, destroy, disrupt, and deceive) effects to the adversary
information systems enabling integrated and synchronized cyber and traditional kinetic
operations.” See http://www.dtic.mil/descriptivesum/Y2008/AirForce/0602702F.pdf.
A reasonable observation is that development and demonstration of
cyberattack capabilities are distributed over multiple program elements,
each of which is relatively small in financial terms. Budget oversight is
thus difficult to execute, even though it is intimately related to acquisition
policy. In addition, the ability to increase certain attack capabilities “for
free” (e.g., through the use of botnets and automated production func-
tions) negates to a considerable extent the ability of the legislative branch
to use budget totals for restraining or limiting U.S. military capabilities.
A low budget profile supports low visibility. Proponents of a given
capability would prefer low visibility for programs supporting that capa-
bility, especially if the capability were controversial in nature. (Low vis-
ibility can also be achieved in other ways, such as by designating a pro-
gram as “special access.”)
6.2.3 Oversight (and Notification)
In addition to budgetary oversight, the legislative branch also pro-
vides operational oversight of government programs. For example, the
executive branch is required by law (50 U.S.C. 413(a)(1)) to keep the
congressional intelligence committees “fully and currently informed”
of all U.S. intelligence activities, including any “significant anticipated
intelligence activity.”20 Both intelligence gathering and covert action are
included under this rubric, and thus cyberexploitation and covert action
cyberattacks would have to be reported to these committees. These report-
ing requirements are subject to a number of exceptions pertaining to sen-
sitivity and possible compromise of intelligence sources and methods, or
to the execution of an operation under extraordinary circumstances.
Certain DOD operations have also been subject to a notification
requirement. Section 1208 of the FY 2005 Defense Authorization Act gave
the secretary of defense the authority to expend up to $25 million in any
fiscal year to “provide support to foreign forces, irregular forces, groups,
or individuals engaged in supporting or facilitating ongoing military
operations by United States special operations forces to combat terror-
ism.” In the event that these funds were used, the secretary of defense was
required to notify the congressional defense committees expeditiously
and in writing, and in any event in not less than 48 hours, of the use of
such authority with respect to that operation.
20 A discussion of this requirement can be found in Alfred Cumming, Statutory Procedures
Under Which Congress Is to be Informed of U.S. Intelligence Activities, Including Covert
Actions, Congressional Research Service memo, January 18, 2006, available at
http://www.fas.org/sgp/crs/intel/m011806.pdf.
Yet another precedent for notification in support of oversight is the
requirement for the attorney general to report annually to Congress and
the Administrative Office of the United States Courts indicating the total
number of applications made for orders and extensions of orders approving
electronic surveillance under the Foreign Intelligence Surveillance
Act, and the total number of such orders and extensions either granted,
modified, or denied.
To the best of the committee’s knowledge, no information on the
scope, nature, or frequency of cyberattacks conducted by the United States
has been made regularly or systematically available to the U.S. Congress
on either a classified or an unclassified basis.